Objective: 


The primary objective is to get out-of-band SSL/TLS decryption of the traffic from an 
emulated Android device. This is best achieved by pushing the proxy's CA certificate to 
the Android device as a trusted system CA. To do this we need root access on the 
device (su) and the ability to write to the file system over ADB. This sounds simple, 
but depending on the device it can be anything but. Fortunately this document makes it 
easy :) 


Summary: 


Because this information was sourced from many different places and had to be 
greatly altered, I have created this one document to describe a single working 
route to set up and configure an Android emulator on Windows 10 for man-in-the-middle 
SSL decryption using either an HTTP/HTTPS proxy (Burp Suite) or a SOCKS5 proxy 
(mitmproxy), which can also defeat certificate pinning. This allows mobile apps to be 
tested in the same manner as web apps in terms of request interception with Burp. It 
also does not require ANY physical Android device, which is a perk. 


Prerequisites: 


1. You need local administrator privileges on the Windows machine 
2. A Gmail account which can be used on the emulator for the Google Play Store 
3. Android Emulator: Download and install "Nox Player" 
   a. https://www.bignox.com 
4. OpenSSL.exe: Download the pre-compiled Win32/64 binaries 
   a. https://wiki.openssl.org/index.php/Binaries 
5. Burp Suite and/or Mitmproxy 
   a. Burp Suite - https://portswigger.net 
   b. Mitmproxy - https://mitmproxy.org 




Nox Player (Root Access): 


First we need to root the device so we can modify it the way we want to. 


6. After installing Nox Player and launching it, you will need to get your Google 
account configured so you can get into the Play store and other such things. 
I think that is pretty straightforward. 

7. At the top of Nox, you will see a gear. Under “phone model and Internet”, set 
the default model to ‘Samsung Galaxy S7’ and Save. This will likely restart 
Nox. 

8. When it’s back up, click the gear again and under “General settings”, check 
the “Root” box. One of the reasons I selected Nox after trying many 
emulators is that gaining root access is literally a check box. This will restart 
Nox again. 

9. You should now be in a rooted version of Nox. 


Nox Player (Developer Mode): 


We do this to connect ADB (Android Debug Bridge) for installing a trusted CA 
certificate. 


10. On the Android home screen (which you can get back to by clicking the 
house-looking icon at the bottom right), go into the Tools folder, then Settings. 

11.Scroll down to where it says “About Tablet” and click that. 

12.Scroll down to the bottom where it says “Build number” and click this slowly 
7 consecutive times. You should see a count-down to “developer mode”, and 
once clicked enough the device will be in developer mode. 


Nox Player (Network Connection): 


We do this so all of the devices network traffic flows through our proxy. 


13.Go back to the home screen and open up the browser. Go somewhere and 
make sure your internet is working. By default, Nox will create a bridged 
network connection so the IP address of your host running Nox will be 
accessible. 

14.By default you will likely have a wireless network connection called 
“WiredSSID”. Long click this connection and select ‘Modify Network’. 

15.Enter the IP address of the system you plan to run Burp Suite or Mitmproxy 
on in the proxy hostname box. Do not enter localhost or 127.0.0.1 here, you 
need the local network IP address (EG: 192.168.1.100). 

16.Enter the port you will run the proxy on - this is typically 8080 by default for 
both Burp Suite and Mitmproxy. 

17.Hit Save. This will kill your internet connection in Nox until we get the other 
software running. 

18.Leave Nox Player open. 


Burp Suite (Proxy): 


We do this so the proxy gets the data from Nox, and Nox needs to trust our proxy 
certificate. 


19.Install Burp Suite. Once up and running, click on the Proxy tab. 

20.Go to the Intercept sub-tab under proxy and make sure that intercept is off. 

21.Now go to the Options sub-tab. 

22.There should be a proxy listener setup already on the loopback address for 
port 8080. 

23.Select the listener and click “Edit”. 

24.Specify the desired port or whichever you entered into Nox. 

25.Under “Bind to Address”, select your local network IP address, EG: 192.168.X.X. 
This can vary depending on your network, but do not select the loopback 
address (127.0.0.1) or the WAN address. 

26.Hit OK. 

27.Still on the Options sub-tab under Proxy, in the Proxy Listeners section, click 
“Import/Export CA Certificate” and export the cert in “DER” format to the 
same location you extracted OpenSSL to. Call it “burp.der”. 

28. Burp Suite is now ready to rock. 


OpenSSL (Hash Certificate): 


Android's system CA store refers to certificates by a hashed file name, so we need to 
generate that hash. 


29. Open CMD.exe and navigate to the folder where you extracted OpenSSL.exe and 
saved the Burp Suite .DER certificate. 

30.Type the following: “Openssl x509 -inform DER -subject_hash_old -in 
burp.der” <enter> 

31.The command assumes you have the burp.der in the same folder as 
OpenSSL, and the response should look like the screenshot below. 


C:\Temp>Openssl x509 -inform DER -subject_hash_old -in burp.der 
WARNING: can't open config file: /usr/local/ssl/openssl.cnf 
9a5ba575 
[... base64-encoded PEM certificate body ...] 
-----END CERTIFICATE----- 


C:\Temp>rename burp.der 9a5ba575.0 


32.Now, take the hash that the command printed, such as “9a5ba575”, and 
rename your burp.der file by running the command: “rename burp.der 
YOURHASH.0” 

33.Make sure you append the .0 (dot zero) file extension to your hash when 
renaming the file. 


ADB (Install Certificate): 


This step is to push the new certificate into the system trusted CA store. 


34. Open a CMD prompt again and navigate to your Nox bin folder (likely 
C:\Program Files (x86)\Nox\bin). 

35. Type: “nox_adb shell” <enter> (open our ADB shell) 

36. Type: “su” <enter> (change to super user) 

37. Type: “mount -o rw,remount /system” <enter> (mount the file system as 
writable) 

38. Now open a new CMD prompt window leaving the ADB bridge window open. 

39.Navigate to your OpenSSL folder which contains the new cert with hashed 
name. 

40.Type: “C:\Nox\bin\nox_adb push YOURHASH.0 /system/etc/security/cacerts” 
<enter> 

41.If all went well, you should see something similar to the screenshots below. 

42.Close down the CMD windows. 


C:\Program Files (x86)\Nox\bin>adb shell 
dream2lte:/ # su 
dream2lte:/ # mount -o rw,remount /system 


C:\Temp>adb push 9a5ba575.0 /system/etc/security/cacerts 
[100%] /system/etc/security/cacerts/9a5ba575.0 


Testing Everything: 


Did it work? 


43.At this point, navigate on over to Nox and open up your browser. Request 
some websites. 

44. If all is right in the world, you should now have decrypted SSL payloads in 
Burp Suite for any application which doesn’t pin certificates. 


Troubleshooting: 


Just trying to help 


• If you are having network problems/connectivity issues, start by turning off 
the Windows or Defender firewall and see if it's griefing you. 

• Make sure you got the IP address and port number right. 

• If you are seeing certificate warnings, the certificate did not get pushed 
properly. 


SOCKS5 (Mitmproxy): 


45.If for some reason you want to run a SOCKS proxy instead, we only need to 
do a couple of things differently. 

46.The first thing we will do is turn off the network proxy in Nox. This is not 
needed for SOCKS. 

47.Then, we need to install an application called ‘PCAPDroid’ on the device. 
Within this application's settings, you can set an address to forward all traffic 
to. PCAPDroid installs as a device VPN and installs its certificate as a 
MITM trusted user cert. It doesn’t try to decrypt the traffic itself, it just 
bounces it. 

48.When you install mitmproxy on Windows and run it, a console window opens. 
You can then access the mitmproxy logs in your browser at localhost:8081. 
But by default the proxy runs on localhost:8080 so running Burp at the same 
time would require a different port number (for one or the other). 


49.In the web console (localhost:8081) with mitmproxy running, in ‘edit 
settings’, you go down to the “mode” switch and can type “socks” there and 
it will run as a SOCKS proxy. 

50.To get the Nox emulator to trust this proxy for decryption, you go through the 
same steps as above (export the cert, run OpenSSL for the hash, install it). The 
only difference is that the “-inform” switch must be “PEM” and not “DER” for 
Mitmproxy certs. 
EG: 
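The following is an added example, not part of the original guide. It reproduces in plain Python what "openssl x509 -subject_hash_old" computes (the first four bytes of the MD5 of the DER-encoded subject name, read as a little-endian integer), so the same code covers the Burp DER export above and the mitmproxy PEM cert described here. It also includes a check a practitioner would want when "the certificate did not get pushed properly": point check_cacerts_dir at a copy of the device's cacerts folder (for instance one fetched with "adb pull /system/etc/security/cacerts") and it reports any file whose name does not match the hash of the certificate inside it. The certificate built by build_sample_cert is constructed for the example and is not a real or signed CA; the helper names are this example's own.

```python
"""Added example (not from the original guide): compute the Android cacerts
filename that "openssl x509 -subject_hash_old" prints, for DER (Burp) or PEM
(mitmproxy) input, and verify a cacerts directory. Stdlib only; sample cert is CONSTRUCTED."""
import base64
import hashlib
import os
import tempfile


def pem_to_der(data: bytes) -> bytes:
    """Accept raw DER or a PEM CERTIFICATE block and return DER bytes."""
    if not data.lstrip().startswith(b"-----BEGIN"):
        return data
    inside, body = False, []
    for line in data.splitlines():
        if line.startswith(b"-----END CERTIFICATE"):
            break
        if inside:
            body.append(line.strip())
        if line.startswith(b"-----BEGIN CERTIFICATE"):
            inside = True
    if not body:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode(b"".join(body))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos -> (tag, content_start, end_of_element)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length


def extract_subject_der(cert_der: bytes) -> bytes:
    """Return the DER-encoded subject Name: exactly the bytes OpenSSL hashes."""
    tag, tbs_pos, _ = read_tlv(cert_der, 0)             # Certificate SEQUENCE
    tag2, pos, _ = read_tlv(cert_der, tbs_pos)          # tbsCertificate SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                                  # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)               # subject Name
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert_der[pos:end]


def subject_hash_old(cert: bytes) -> str:
    """X509_NAME_hash_old: first 4 bytes of MD5(subject DER) as a little-endian uint32, 8 hex digits."""
    digest = hashlib.md5(extract_subject_der(pem_to_der(cert))).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def cacerts_filename(cert: bytes) -> str:
    """Name Android expects under /system/etc/security/cacerts ('.0' = first cert with this hash)."""
    return subject_hash_old(cert) + ".0"


def check_cacerts_dir(path: str) -> dict:
    """Map each file in a pulled cacerts directory to True if it is named <hash>.<n> for its content."""
    result = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "rb") as f:
            data = f.read()
        try:
            stem, _, suffix = name.partition(".")
            result[name] = stem == subject_hash_old(data) and suffix.isdigit()
        except (ValueError, IndexError):                # unparsable file
            result[name] = False
    return result


# --- CONSTRUCTED sample data: a structurally valid but unsigned certificate ---
def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_name(cn: str) -> bytes:
    """Name ::= SEQUENCE { SET { AttributeTypeAndValue { commonName (2.5.4.3), UTF8String } } }"""
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def build_sample_cert(subject_cn: str) -> bytes:
    """Certificate DER with a placeholder BIT STRING signature (CONSTRUCTED, not a real CA)."""
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))               # [0] version v3
                  + der_tlv(0x02, b"\x01")                            # serialNumber
                  + sha256_rsa                                        # signature algorithm
                  + encode_name("Sample Issuer CA")                   # issuer
                  + der_tlv(0x30, der_tlv(0x17, b"240101000000Z")
                            + der_tlv(0x17, b"340101000000Z"))        # validity
                  + encode_name(subject_cn))                          # subject
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00" * 9))


def to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def demo_check() -> dict:
    """Write one correctly named copy and one un-renamed copy of the sample cert, then check them."""
    cert = to_pem(build_sample_cert("Sample Proxy CA"))
    with tempfile.TemporaryDirectory() as d:
        for name in (cacerts_filename(cert), "burp.0"):   # "burp.0": the rename step was skipped
            with open(os.path.join(d, name), "wb") as f:
                f.write(cert)
        return check_cacerts_dir(d)
```

Because the hash covers only the subject name, a renamed Burp export and a later re-export of the same CA land on the same filename, which is why a stale copy in cacerts should be replaced rather than added beside it.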


While this seems pretty simple, it was abundantly painful trying to find all the right 
pieces to make this work with an emulator, so hopefully this saves someone else a 
good deal of time. 


Defeating Certificate Pinning: 


51.Use 7z to extract the correct version of Frida server for the target device; 
for Nox this is usually 32-bit Android. EG: frida-server-15.1.8-android-x86.xz. 
Extract to your Nox\Bin directory. https://github.com/frida/frida/releases 

52.Switch to your Nox\Bin directory in CMD prompt 

53.nox_adb push c:\temp\frida-server-15.1.14-android-x86_64 
/data/local/tmp/frida-server 

54.nox_adb root 

55.nox_adb shell chmod 755 /data/local/tmp/frida-server 

56.nox_adb shell /data/local/tmp/frida-server & 

57.pip install frida-tools (Python is a pre-req here) 

58.frida-ps -U should list remote processes if working correctly 

59.Download frida-script.js from https://github.com/httptoolkit/frida-android-unpinning 
to your Nox\Bin folder 

60.frida -U 7345 --no-pause -l ./frida-script.js (where 7345 is the PID to unpin) 


Enable Bluetooth: 


nox_adb shell service call bluetooth_manager 6 


Disable Bluetooth: 


nox_adb shell service call bluetooth_manager 8 


**This is to quickly defeat app checks for bluetooth despite the fact that it doesn’t 
actually work. 


Going forward, you only need to run step 8 and step 10 to defeat certificate pinning. 


Quick Reference 


To simply defeat cert pinning after Frida is installed and setup already: 


Commands: 

C:\Nox\Bin\nox_adb.exe shell /data/local/tmp/frida-server & 
frida-ps -U 

frida -U 7345 --no-pause -l ./frida-script.js 


Linux Note 


For those of you who want to accomplish this on a Linux box, the process is not very 
different: you just need to get Nox, Frida, Burp, and ADB working on Linux and 
ultimately follow the same process. The command-line details will differ, so use 
Google if you need help figuring out ADB on Linux, etc. 


